Broken SSL cert caused by router?
Eygene Ryabinkin
rea+nanog at grid.kiae.ru
Fri Mar 27 00:46:20 UTC 2015
Thu, Mar 26, 2015 at 03:38:55PM -0700, Mike wrote:
> I have a customer however that uses our web mail system now secured
> with ssl. I myself and many others use it and get the green lock. But,
> whenever any station at the customer tries using it, they get a broken
> lock and 'your connection is not private'. The actual error displayed
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate
> Authority - G2". And it gets worse - whenever I go to the location and
> use my own laptop, the very one that 'works' when at my office, I ALSO
> get the error. AND EVEN WORSE - when I connect to my cell phone provided
> hotspot, the error goes away!
>
> As weird as this all sounds, I got it nailed down to one device -
> they have a Cisco/Meraki MX64W as their internet gateway - and when I
> remove that device from the chain and go 'straight' out to the internet,
> suddenly, the certificate problem goes away entirely.
>
> How is this possible? Can anyone comment on these devices and tell
> me what might be going on here?
Sounds like deep packet inspection (DPI) with SSL MITM. Reading
https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf
makes me believe that this device can do that. Look for its
configuration, DPI for HTTPS must be active.
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be
a violent psychopath who knows where you live.
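One way to confirm what the reply suspects, as an added example that is not part of the thread or of any Meraki tooling: probe the web-mail host from each network path (office, customer LAN behind the gateway, cell hotspot), compare the leaf-certificate fingerprints, and flag the path whose certificate differs. The host name and the sample certificate bytes are constructed placeholders.

```python
# Added example (not from the thread): a server's certificate cannot change
# with the client's location, so a path that sees a different leaf is MITM'd.
import hashlib
import socket
import ssl
from collections import Counter

def certificate_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated hex (browser format)."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Return (fingerprint, verify_error) for the leaf presented on this path.
    Pass 1 verifies like a browser to capture the error text; pass 2 turns
    verification off so a re-signed leaf is captured rather than rejected."""
    verify_error = None
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message  # e.g. unknown local issuer
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return certificate_fingerprint(der), verify_error

def compare_paths(observations: dict, pinned: str = None) -> dict:
    """observations: path label -> fingerprint seen there. The genuine cert is
    the pinned one if given, else the fingerprint seen on most paths; every
    path presenting something else is flagged as intercepted."""
    if not observations:
        return {"genuine": pinned, "suspect_paths": []}
    genuine = pinned or Counter(observations.values()).most_common(1)[0][0]
    suspect = sorted(p for p, fp in observations.items() if fp != genuine)
    return {"genuine": genuine, "suspect_paths": suspect}

# Constructed stand-ins for DER bytes; real runs feed probe() results here.
SAMPLE = {
    "office": certificate_fingerprint(b"constructed: CA-issued leaf"),
    "customer_lan": certificate_fingerprint(b"constructed: gateway-signed"),
    "cell_hotspot": certificate_fingerprint(b"constructed: CA-issued leaf"),
}
```

In practice, run `probe("webmail.example.invalid")` from each location and pass the fingerprints to `compare_paths`; a non-empty `verify_error` on only one path is the same symptom the browser reports as `cert_authority_invalid`.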